'''Note:''' Debian 6.0 is the final version to include precompiled Linux-VServer kernels. In newer versions (including Debian Testing), you will have to compile the kernel yourself or [http://linux-vserver.org/Frequently_Asked_Questions#Were_can_I_get_newer_versions_of_VServer_as_ready_made_packages_for_Debian.3F use a pre-packaged kernel]. [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574529]

This guide is written against Debian Etch (4.0) and works on Lenny (5.0) as well. Both releases include the kernel package '''linux-image-vserver-686''', so no manual patching is needed. Hence, installation on Debian Etch/Lenny is pretty easy and straightforward.

If you need to compile your own kernel, you need to apply the vserver-version.patch. [http://www.kwu.hu/vserver.txt Details at 2007/May/04]

In Lenny and Etch the util-vserver tools are for the 2.2 version of VServer; until the 2.3 version of util-vserver is integrated into Debian, you can find packages for it in the beng repository. See

* [[util-vserver:Devdebianpackage]] - info about the Debian v2.3 package from the community
* [http://kernels.bristolwireless.net/ How to use the Debian Repository] - explanation of how to use this repository

Running ''vserver-info'' will show you that the proper util-vserver is installed. :)

Debian already contains VServer kernels, so no manual patching or compiling is needed.

{|class="wikitablenowrap"
!Debian release
!Kernel version
!VServer version
|-
| Squeeze
| 2.6.32
| 2.3.0.36.29.6
|-
| Lenny
| 2.6.26+17
| 2.3.0.35
|-
| Etch
| 2.6.18+6
| 2.0.2.2-rc9
|}

The VServer versions given above are not completely pure; they carry additional patches to fix various issues.

Information on alternative Debian repositories with more functional packages is [[Frequently_Asked_Questions#Were_can_I_get_newer_versions_of_VServer_as_ready_made_packages_for_Debian.3F | contained in this section of the FAQ]].

== Issues with Squeeze's 2.6.32 Kernel and Util-vserver ==

* The util-vserver package shipping with Debian does not have the symbolic link for squeeze; this is fixed by
 ln -s debian /usr/lib/util-vserver/distributions/squeeze

== Issues with Lenny's 2.6.26 Kernel and Util-vserver ==

=== Hard CPU scheduling ===

This will not work in the Debian 'Lenny' kernel; the patch used simply does not contain any of this functionality.

=== Problems due to Xattrs ===

There are two sets of issues within the Lenny kernel caused by the change in the values of the Xattrs (extended attributes) applied to files in VServer setups. The patch used in Debian Lenny uses Xattr flags set in positions which differ from those used by the other Debian VServer kernels as well as by most of the mainline VServer patches. The result is that the Xattrs of files from a non-Lenny system appear to carry completely different flags under Lenny, and vice versa. Since these flags are crucial to VServer hashification and to chroot security, they can have devastating effects on VServer guests and on host system security. If you have recently moved to or away from the stock Lenny VServer kernel, have a look at the symptoms below to see if any match your experience, and apply the fixes or use another kernel as you see fit.

As of writing, these issues have not been corrected within the Debian archive. The fixes must be applied whenever moving a VServer guest '''from''' or '''to''' the Debian Lenny VServer kernel. For more details and a more concise explanation see [http://irc.13thfloor.at/LOG/2009-05/LOG_2009-05-12.txt Bertl's IRC explanation].

==== Chroot Security Problems ====

Linux-VServer uses file Xattrs (the barrier flag) to protect against guest superusers viewing files above their root, preventing access to host files. This creates issues for anyone who:

* has created a guest with a Debian 2.6.26-*-vserver kernel and wishes to use it with another kernel.
* has created a guest with a different kernel and wishes to use it on a Debian 2.6.26-*-vserver kernel-based host.

In effect, in the situations above the barrier normally in place for guest servers is not recognised by the kernel (the chroot problem) and/or immutable links will not function correctly in a unified guest setup, failing to break when overwritten (the unification problem). Symptoms suffered may include:

* the possibility of VServer guest processes escaping their chroots and accessing other parts of the host filesystem
* guests not starting

To fix the barrier flags for the current kernel, see [[Secure_chroot_Barrier#Solution:_Secure_Barrier | these instructions]]. Note that on some setups the barrier flag will appear on all directories under the guest hierarchy and needs to be unset there in order to allow the guests to run. Use ''showattr'' to reveal the state of play for your guests and fix it appropriately.
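As an added example of the showattr check described above (not code from this page or from util-vserver), a small POSIX sh audit that reads showattr output and reports both a missing barrier on the guest's parent directory and stray barriers below the guest root. It assumes showattr's flag field shows an uppercase 'B' for a set barrier and a lowercase 'b' for a clear one; the sample output is constructed.

```shell
# Added example (not code from the page or from util-vserver): audit the barrier
# flag around a guest root from showattr output. Assumes showattr prints one
# "FLAGS PATH" line per path, with an uppercase 'B' in FLAGS when the barrier is
# set and a lowercase 'b' when it is clear.

# flag_state FLAGS -> prints "barrier" when the barrier flag is set, else "open".
flag_state() {
    case "$1" in
        *B*) echo barrier ;;
        *)   echo open ;;
    esac
}

# audit_barrier GUEST_ROOT (showattr output on stdin). Expected layout: barrier
# set on the parent of GUEST_ROOT (guest processes cannot climb above their root)
# and on nothing below it (stray barriers there stop guests from starting).
# Prints one line per finding; returns 0 when the layout is as expected, else 1.
audit_barrier() {
    root=$1
    parent=$(dirname "$root")
    status=0
    parent_seen=0
    while read -r flags path; do
        [ -n "$flags" ] || continue
        state=$(flag_state "$flags")
        if [ "$path" = "$parent" ]; then
            parent_seen=1
            [ "$state" = barrier ] || { echo "MISSING barrier on $path"; status=1; }
        else
            case "$path" in
                "$root"/*) [ "$state" = open ] || { echo "STRAY barrier on $path"; status=1; } ;;
            esac
        fi
    done
    [ "$parent_seen" -eq 1 ] || { echo "parent $parent not present in input"; status=1; }
    return "$status"
}

# Constructed sample (not real output) for a guest created under a kernel with a
# different flag layout: the parent lost its barrier, one guest dir gained one.
demo_showattr() {
    printf '%s\n' '----bui- /vservers' '----Bui- /vservers/guest1/etc' '----bui- /vservers/guest1/usr'
}

if demo_showattr | audit_barrier /vservers/guest1; then
    echo "barrier layout OK"
else
    echo "fix: setattr --barrier the parent, clear the stray flags, then retry"
fi
```

On a real host, replace demo_showattr with the output of showattr run over the parent of the guest root and the directories below it.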

==== Unification Problems ====

There is a discrepancy in the immutable-unlink flag used for file unification, the process performed by ''vhashify''. This creates considerable issues for anyone who:

* has unified guests with a Debian 2.6.26-*-vserver kernel and wishes to use them with another kernel.
* has unified guests with a different kernel and wishes to then use them on a Debian 2.6.26-*-vserver kernel-based host.

Symptoms suffered may include:

* files that cannot be deleted
* any process involving the writing of files in guests not working
* files not being unlinked on write

To fix the problem, each file must be unlinked and then the unification re-applied, or one could try the script submitted to [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508523 bugs.debian.org].

=== /proc/mounts issue ===

The guest's /proc/mounts reveals the guest's path on the host; lsof (for example) is able to print it.

=== "Ghost" guests ===

==== Issue ====

Sometimes a guest loses its name in ''vserver-stat'' and acts like a zombie. It is impossible to restart or kill it. Stopping all the guests with the util-vserver init.d script doesn't solve the issue, and neither does vkill --xid $CTX.

Revision as of 12:03, 20 February 2013
